Download Blank Third Party Assessment








Type : Vendor Assessment



Short Name	Question / Description		Answer / Value

Name	Enter the name

TPA: Project Name	Whirlpool project name requesting third party or service provider connection					*

TPA: Project Owner	Whirlpool project owner requesting third party or service provider connection					*

TPA: Business Area	Whirlpool business area or process supported by the third party or service provider					*

TPA: Service Provider Name	Service provider company name					*

TPA: Service Provider Contact	Service provider or third party contact					*

TPA: Target Implementation Date	Target implementation date			*

TPA: CISO	Vendor Chief Information Security Officer (CISO) or equivalent					*

TPA: User Directory	Choose the user directory used to manage security and provisioning of access on your internal network			*

TPA: OS and database	List the operating system and database used to manage Whirlpool data		Select any number			*
			Mainframe
			Unix
			AS400
			Windows
			Oracle
			DB2/UDB
			MS SQL
			Other

TPA: Datacenter location	List the location of the datacenter that hosts Whirlpool data					*

Short Name	Question / Description		Answer / Value		Comments

WVA: Organizational Security and Privacy 1	Has a complete and current Information Security policy been established?		Yes	*

WVA: Organizational Security and Privacy 2	Are retention and destruction requirements documented and followed for different classifications of data?		Yes	*

WVA: Organizational Security and Privacy 3	Are documented guidelines followed to review relevant laws and regulations; including but not limited to, privacy protection, international privacy law, or data security and their impact to the organizations IS controls?		Yes	*

WVA: Organizational Security and Privacy 4	Have documented incident management procedures been established to ensure a timely, effective and orderly response to security incidents including coordination with key partners and customers?		Yes	*

WVA: Organizational Security and Privacy 5	Are documented policies followed for enforcing segregation of duties?		Yes	*
					What types of audits are performed?	2
WVA: Organizational Security and Privacy 6	Are audits performed to ensure compliance of systems with organizational security policies and standards?		Yes, external audits are performed on a periodic basis.	*	SAS-70 , SOX Audit

WVA: Organizational Security and Privacy 7	How often are documented audits/reviews performed of Third Party’s security controls for compliance with service and delivery levels in the agreement?		Semi-annually	*

WVA: Employment Security 1	Do employees sign a confidentiality (non-disclosure) agreement as part of the initial terms and conditions of employment?		Yes	*

WVA: Employment Security 2	Are verification (background) investigations conducted on applicants for permanent employment, including third party contractors, vendors, and consultants?		Yes for all applicants and is required by contract by any third party vendors	*

WVA: Employment Security 3	Are documented guidelines followed for providing security awareness training (SAT) to all personnel?		Yes, training is required at least annually	*

WVA: Business Continuity 1	Are controls in place to ensure that back-ups of business information are completed on a regular basis?		Yes, full back-ups are performed weekly	*

WVA: Business Continuity 2	Are controls in place to ensure that backed-up information, records of the back-up copies, and documented restore procedures be stored in a remote location?		Yes, back-up are retained off-site at a distance greater than 15 miles	*

WVA: Business Continuity 3	Do policies and procedures exists in to ensure that controls applied to media at the main site are extended to the back-up site?		Yes, controls are in place are greater than the main site	*

WVA: Physical Security 1	Have controls been established to ensure that physical access to areas with confidential information, and information systems be controlled and restricted to authorized persons only?		Yes, documented approval required with physical access controlled by an electronic card key	*

WVA: Physical Security 2	Are documented guidelines followed for granting access to visitors?		Yes, sign in and data center manager approval required	*
					When are the audits performed?	2
WVA: Physical Security 3	How often are reviews of access rights to secure areas are conducted?		Access rights are reviewed semi-annually	*	After Every 6 month(dec and july)

WVA: Physical Security 4	Are controls in place to address the possibility of damage from fire in secure areas?		Yes, fire detection in place with automated fire suppression system in place	*

WVA: Physical Security 5	Have controls been established to ensure uninterruptible power supplies (UPS) are put in place to protect critical equipment from power failures?		Yes, equipment protected by UPS and generator back-up	*

WVA: Software Development 1	Are documented guidelines followed to separate development, test and production (operational) environments?		Yes	*

WVA: Software Development 2	Are all security requirements identified and justified during the requirements phase of projects?		Yes	*

WVA: Software Development 3	Are formal procedures and management responsibilities defined and documented to require satisfactory control of all changes to equipment, software or procedures including formal approval, recording, and communication of changes?		Yes	*

WVA: Software Development 4	Do documented guidelines require static code testing, vulnerability scanning, and web application scanning of applications before migration to production		N/A	*

WVA: Software Development 5	Do technical compliance checks include static code tests, vulnerability scans, and web application scans for existing systems and applications?		Yes, all three types of testing are deployed at every release	*

WVA: Software Development 6	Have controls been established to protect the storing of confidential data on local devices ?		Yes, local encryption required	*

WVA: Security Operations 1	How often are security logs reviewed?		Security logs contain user ID, failed log-ins, and other security events and are reviewed weekly	*

WVA: Security Operations 2	Are documented guidelines followed to ensure access controls of mobile devices (Laptops, PDA’s Etc.) ?		Yes, encryption required	*

WVA: Security Operations 3	Have all critical systems with real-time clocks had their time set and synchronized with a common Network Time Protocol (NTP) service?		Yes	*

WVA: Security Operations 4	Are cryptographic systems and techniques used for storage of information that is considered confidential?		Yes, for all confidential data	*

WVA: Security Operations 5	Have controls been established to ensure the handling of compromised keys?		Yes, compromised key is revoked	*

WVA: Security Operations 6	How often are security or vulnerability patches applied?		Patches are applied more frequently than monthly	*

WVA: Security Operations 7	Have controls been established to ensure installation and regular update of anti-virus software to protect computers on a precautionary or routine basis?		Yes, virus definitions are updated daily	*

WVA: Security Operations 8	Do the media handling procedures ensure the safe and secure storage of media containing confidential information?		Yes	*

WVA: Security Operations 9	Do the media handling procedures ensure the safe and secure disposal of electronic media containing confidential information?		Yes, media is disposed in a way that renders the data irretrievable	*

WVA: Security Operations 10	Do the media handling procedures ensure the safe and secure disposal of paper documents containing confidential information?		Yes, media is disposed in a way that renders the document irretrievable	*

WVA: Security Operations 11	Is access to the modify job schedules limited to authorized personnel?		Yes	*

WVA: Security Operations 12	Have mechanisms been implemented to protect electronically published information (web sites, ftp, etc)?		Yes, PGP or other enhanced encryption	*

WVA: Security Operations 13	Have mechanisms been implemented to protect information on media in transit between organizations (i.e. backup tapes)?		Yes, secure package handling controls	*

WVA: Security Operations 14	Are the domains with different security needs separated by secure gateways?		Yes, DMZ’s exist for internal and external network	*

WVA: Security Operations 15	Are documented guidelines followed for the secure exchange of confidential information to prevent the unauthorized disclosure and misuse?		Yes, documented and encryption is always required	*

WVA: Security Operations 16	Are documented guidelines followed to safeguard the confidentiality and integrity of data passing over wireless networks?		Yes, WEP encryption	*

WVA: Security Operations 17	Have mechanisms been implemented to protect confidential information contained in electronic mail (Email) between organizations?		Yes, SSL/TLS is required	*

WVA: Password Controls 1	Does the authentication method to gain access to the network utilize passwords?		Passwords are used	*

WVA: Password Controls 2	What is the minimum password length available to end-users?		Requires at least 6 characters	*

WVA: Password Controls 3	How often are end-users forced to change their passwords?		Quarterly	*

WVA: Password Controls 4	What are the minimum password complexity requirements being enforced for end-users?		Mixed case alphabetic, numeric, and plus special characters	*

WVA: Password Controls 5	Are end-users restricted from using previous passwords (password history)?		No password re-use restrictions	*

WVA: Password Controls 6	Are users forced to change their password during first login?		Users are forced to change passwords on first login	*

WVA: Password Controls 7	Are passwords hidden during authentication?		Passwords characters are masked	*

WVA: Password Controls 8	Is a complete & current mechanism in place to report & reset lost or compromised passwords?		Secure self service password reset mechanism	*

WVA: Infrastructure Access 1	When authentication fails, is the user informed of which portion of the authentication process failed?		Message indicates which portion of the authentication process failed	*

WVA: Infrastructure Access 2	Are authentication credentials securely communicated across the network?		Authentication credentials are securely encrypted using industry standards	*

WVA: Infrastructure Access 3	Are accounts locked after several failed login attempts?		Locked after 3 or more failed attempts	*

WVA: Infrastructure Access 4	How long before the system automatically re-enables the account after an account lock out?		Auto unlock after 30 minutes or more	*

WVA: Infrastructure Access 5	How often are accounts reviewed for deactivation (due to inactivity, termination, etc)?		Recurring =<6 months	*

WVA: Infrastructure Access 6	Have control requirements been established for requesting, establishing, and issuing user accounts?		Yes	*

WVA: Infrastructure Access 7	How often is a review of accounts and related privileges conducted?		Accounts with access to confidential data are reviewed =<6 months	*

WVA: Infrastructure Access 8	Are controls in place to ensure all user activities on IT systems are uniquely identifiable?		Yes, all user accounts have unique IDs and are not shared	*

WVA: Infrastructure Access 9	Are access rights immediately adjusted for users who have changed jobs?		Yes, as requested by management	*

WVA: Infrastructure Access 10	Is a documented termination procedure followed which includes the removal of access rights?		Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.	*

WVA: Application Password Controls 1	Does the application that houses Whirlpool information conform to the exact access and password controls for your infrastructure?		Yes	*

WVA: Application Password Controls 2	Does the authentication method to gain access to the application utilize passwords?		Passwords are used	*

WVA: Application Password Controls 3	What is the minimum password length available to end-users?		Requires at least 6 characters	*

WVA: Application Password Controls 4	How often are end-users forced to change their passwords for the application?		Quarterly	*

WVA: Application Password Controls 5	What are the minimum application password complexity requirements being enforced for end-users?		Mixed case alphabetic, numeric, and plus special characters	*

WVA: Application Password Controls 6	Are end-users restricted from using previous application passwords (password history)?		No password re-use restrictions	*

WVA: Application Password Controls 7	Are users forced to change their application password during first login?		Users are forced to change passwords on first login	*

WVA: Application Password Controls 8	Are passwords hidden during authentication?		Passwords characters are masked	*

WVA: Application Password Controls 9	Is a complete & current mechanism in place to report & reset lost or compromised application passwords?		Secure self service password reset mechanism	*

WVA: Application Access Controls 1	When the application authentication fails, is the user informed of which portion of the authentication process failed?		Message indicates which portion of the authentication process failed	*

WVA: Application Access Controls 2	Are application authentication credentials securely communicated across the network?		Authentication credentials are securely encrypted using industry standards	*

WVA: Application Access Controls 3	Are application accounts locked after several failed login attempts?		Locked after 3 or more failed attempts	*

WVA: Application Access Controls 4	How long before the system automatically re-enables the application account after an account lock out?		No auto unlock, manual administrator unlock only	*

WVA: Application Access Controls 5	How often are application accounts reviewed for deactivation (due to inactivity, termination, etc)?		Recurring =<6 months	*

WVA: Application Access Controls 6	Have application control requirements been established for requesting, establishing, and issuing user accounts?		Yes	*

WVA: Application Access Controls 7	How often is a review of application accounts and related privileges conducted?		Accounts with access to confidential data are reviewed =<6 months	*

WVA: Application Access Controls 8	Are controls in place to ensure all user activities in the application are uniquely identifiable?		Yes, all user accounts have unique IDs and are not shared	*

WVA: Application Access Controls 9	Are application access rights immediately adjusted for users who have changed jobs?		Yes, as requested by management	*

WVA: Application Access Controls 10	Is a documented termination procedure followed which includes the removal of application access rights?		Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.	*

WVA: Vendor Portal Access and Password Control 1	Do you provide access to a web based portal?		Yes	*
					Does is conform with Infrastructure or Application password controls?	2
WVA: Vendor Portal Access and Password Control 2	Does the web portal access and password controls conform to either the infrastructure or application password and access controls?		Yes	*	Yes

WVA: Vendor Portal Access and Password Control 3	Does the authentication method to gain access to the portal utilize passwords?		Passwords are used	*

WVA: Vendor Portal Access and Password Control 4	What is the minimum password length available to end-users?		Requires at least 6 characters	*

WVA: Vendor Portal Access and Password Control 5	How often are end-users forced to change their passwords for the portal ?		Quarterly	*

WVA: Vendor Portal Access and Password Control 6	What are the minimum portal password complexity requirements being enforced for end-users?		Mixed case alphabetic, numeric, and plus special characters	*

WVA: Vendor Portal Access and Password Control 7	Are end-users restricted from using previous portal passwords (password history)?		No password re-use restrictions	*

WVA: Vendor Portal Access and Password Control 8	Are users forced to change their portal password during first login?		Users are forced to change passwords on first login	*

WVA: Vendor Portal Access and Password Control 9	Are passwords hidden during authentication?		Passwords characters are masked	*

WVA: Vendor Portal Access and Password Control 10	Is a complete & current mechanism in place to report & reset lost or compromised portal passwords?		Secure self service password reset mechanism	*

WVA: Vendor Portal Access and Password Control 11	When the portal authentication fails, is the user informed of which portion of the authentication process failed?		Message indicates which portion of the authentication process failed	*

WVA: Vendor Portal Access and Password Control 12	Are portal authentication credentials securely communicated across the network?		Authentication credentials are securely encrypted using industry standards	*

WVA: Vendor Portal Access and Password Control 13	Are portal accounts locked after several failed login attempts?		Locked after 3 or more failed attempts	*

WVA: Vendor Portal Access and Password Control 14	How long before the system automatically re-enables the portal account after an account lock out?		Auto unlock after 30 minutes or more	*

WVA: Vendor Portal Access and Password Control 15	How often are portal accounts reviewed for deactivation (due to inactivity, termination, etc)?		Recurring =<6 months	*

WVA: Vendor Portal Access and Password Control 16	Have portal control requirements been established for requesting, establishing, and issuing user accounts?		Yes	*

WVA: Vendor Portal Access and Password Control 17	How often is a review of portal accounts and related privileges conducted?		Accounts with access to confidential data are reviewed =<6 months	*

WVA: Vendor Portal Access and Password Control 18	Are controls in place to ensure all user activities in the portal are uniquely identifiable?		Yes, all user accounts have unique IDs and are not shared	*

WVA: Vendor Portal Access and Password Control 19	Are portal access rights immediately adjusted for users who have changed jobs?		Yes, as requested by management	*

WVA: Vendor Portal Access and Password Control 20	Is a documented termination procedure followed which includes the removal of portal access rights?		Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.	*

Short Name	Question / Description		Answer / Value

Vendor Access to Whirlpool Data Types	What type of Whirlpool data does the vendor have access to?		Select at least 1			*
			Employee Compensation
			Country Specific Personal ID (e.g. social security number[US], social insurance number[Canada])
			Employee Health Information
			Employee Criminal Information
			Employee Contact Information
			Employee Benefits Information
			Employee Performance/Talent Ratings
			Employee Emergency Contact Information
			Employee Demographic Information
			Credit Card Information
		X	Consumer Contact Information
			Customer Service Center Call History
			Prospective Customer Information
			Consumer Demographic Information
			Pre-release Financial Information
			Business Development Information
			Board and Executive Committee Materials
			Restructuring Information
			Corporate Strategy
			Regional Trade Sensitive Information
			Aggregate Corporate Forecast and Planning Information
			Historical Earnings Information
			Capital Plan and Spend Information
			Treasury Information
			Tax Information
			Internal Audit Information
			Supply Chain Cost Information
			IS Security Incident Information
			IS Vulnerability Information
			Application Code and Documentation
			System Performance Information
			Detailed System Information

Vendor Access to Whirlpool Data	What type of access does the vendor have to Whirlpool data?		Select at least 1			*
		X	Systemic
			Adhoc or Limited
			Read Only Access




Whirlpool Corporation Page 1 of 1 Confidential


























































No, back-up copies are stored onsite






















































































































Yes, DMZ’s exist for internal and external network












































Users are not forced to change passwords on first login
Users are forced to change passwords on first login






Manual reset password process via Helpdesk with no user identification mechanism
Manual reset password process via Helpdesk with a mechanism to positively ID user






















Ad hoc reviews and updates













Accounts are reviewed on a ad hoc basis



















































Users are not forced to change passwords on first login
Users are forced to change passwords on first login






Manual reset password process via Helpdesk with no user identification mechanism
Manual reset password process via Helpdesk with a mechanism to positively ID user






















Ad hoc reviews and updates













Accounts are reviewed on a ad hoc basis






















































Users are not forced to change passwords on first login
Users are forced to change passwords on first login






Manual reset password process via Helpdesk with no user identification mechanism
Manual reset password process via Helpdesk with a mechanism to positively ID user






















Ad hoc reviews and updates













Accounts are reviewed on a ad hoc basis

Shafiq Alibhai

Dumping ground for micro-posts, designs, code, commentary, ideas and mostly plain randomness.

Third party assessment document

Download Blank Third Party Assessment